The Green Sheet Online Edition
February 24, 2014 • Issue 14:02:02
Mothballs for XP raises security concerns for ATM ISOs
ISOs that service and support ATMs face a dilemma come April 2014, when Microsoft Corp. discontinues support for the Windows XP operating system. Without support for the operating system on which most of the 420,000 ATMs in the United States run, ISOs that fail to migrate ATMs to the newer Windows 7 may face increasing fraud risks on those ATMs.
According to the ATM Industry Association, when April 8, 2014, rolls around, Windows XP support services, including security updates, nonsecurity "hotfixes," free or paid assisted support options, and online technical content updates will no longer be offered. "No company can afford to ignore such an important change," said Mike Lee, Chief Executive Officer at the ATMIA.
In a report titled Risks of Maintaining Windows XP Platform for ATMs, the ATMIA said, "Continuing to operate on the Windows XP platform after the end of the support lifecycle exposes financial institutions and independent ATM deployers to security, operational and compliance risks." Windows XP will thus be an open and unguarded target for malware into perpetuity, with security risks including attacks to ATM networks, local ports and browsers, the paper stated.
By not migrating from XP to Windows 7, ATM operators also jeopardize their compliance certification status. "Windows XP doesn't offer the kinds of integrated security features the latest versions of Windows have integrated, and software running in Windows XP is unlikely to pass the standards set forth by the Payment Card Industry (PCI) or EMVCo," the ATMIA said.
Default, not design
Scott Kinka, Chief Technology Officer at bank and credit union cloud service provider Evolve IP LLC, said 95 percent of ATMs in the United States run on Windows XP. The operating system gained dominance essentially by default, not by ATM industry design. Kinka said XP was chosen over other operating systems, such as the arguably more secure Linux operating system, because it was the only "stable" option available when ATM growth began to occur. "XP has been around since 2001, and Linux was not in wide use for these types of systems at that time," he said.
Kinka noted that a small percentage of ATMs run on Windows XP Embedded (XPe), Microsoft's stripped-down version of XP. "In most cases XPe doesn't need frequent patching as they're locked down and set up to function like dumb terminals, merely passing data along to a back room or an online server," he said. "That makes Windows Embedded devices inherently more secure."
Since Microsoft is continuing tech support for XPe until early 2016, ISOs that operate ATMs on XPe have more time to migrate to Windows 7.
Resources for ATM ISOs
For Windows users, "Patch Tuesday" is a familiar term: it is the second Tuesday of every month, when Microsoft issues security patches for its operating systems. Since Windows XP was launched, more than 700 vulnerabilities have been found in the operating system, according to the ATMIA.
Reportedly, most ATM fraud involves the manipulation of ATM hardware, but software attacks have become increasingly popular. Even with the development of new operating systems for computers, Windows XP continues to be a target for fraudsters, and for that reason the association believes the operating system will remain a popular target past Microsoft's support termination date.
Lee told The Green Sheet that Microsoft announced the end of Windows XP support toward the end of 2012, so the ATM industry has had "plenty of warning" about the impending deadline. Admitting it can be an expensive and time-consuming proposition to migrate ATMs to the newer operating system, Lee said ATM ISOs must work with their software vendors to facilitate the process.
The ATMIA offers resources for ISOs in making the transition. "ATMIA has made available a list of FAQs and the answers from Microsoft to these industry questions," Lee said. "There is also case study material of a method for remote deployment of new software to save costs and on-site visits in migrations of this nature and a risk assessment report with some best practice recommendations."
ATMIA also outlined the risks of continuing to operate XP after the deadline and explained the steps that need to be taken to address these risks.